The Case for Increased Security Investment in a Guarded Environment

The financial services sector is arguably the most advanced private sector for intelligence gathering, security information sharing, and investment in cyber security controls. Those of us who have been involved in cyber security for the last few years have experienced periods of high threat activity, such as the al-Qassam Cyber Fighters and Operation Ababil, as well as periods of relative calm.

But how can banks, insurance companies, and others in the financial industry continue to justify their increasing investment in cyber security during long periods of relative calm?

Like many sectors, the financial industry monitors cyber threats and publishes an overall cyber threat level. The levels are defined as:

Guarded - Routine Operations/General Threat Environment

Elevated - General or Directed Threat

High - Credible Threat or Significant Sector Threat has Occurred

Severe - Credible Intel of Imminent Cyber Threat or Sector Incident

The threat level for the sector is generally at the "Guarded" level, with short periods of "Elevated" or "High". While I agree that the situation today is Guarded, with no general or directed threat to justify an Elevated level, there are a number of factors that raise concern in the finance sector:

1) Unprecedented level of attack activity:

As shown in the Akamai Q4 2015 State of the Internet Security Report, the number of attacks is increasing dramatically. Each dot on the chart below represents a DDoS attack that Akamai mitigated for a customer. This two-year look back makes it very obvious that the level of attack activity has grown tremendously.

Over half of the attacks that Akamai mitigates now include multiple vectors. For example, an attack against a customer may start as a SYN flood, switch to a DNS attack, and then change again to a Layer 7 GET flood. In Q4, 56% of all DDoS attacks were multiple vector attacks, up from 42% in Q4 2014. Attacks such as these suggest increased sophistication of the attackers, and require multiple mitigation strategies.

The banking industry has now experienced a new and disturbing trend of attacks against core systems and payment services. Examples include:

ATM roll back bank robbery - Kaspersky Labs reported a heist against a Russian bank in which the thieves gained control of back end systems to "roll back" account balances, as accomplices withdrew cash from ATMs.

Hackers steal $100M from Bangladesh Bank - Criminals have moved up the food chain significantly, and are now able to send spoofed interbank transfer requests directly to central banks.

As depicted in the diagram below, although the industry remains mainly at a Guarded threat level, the associated level of risk continues to increase year after year. In this example, a bank that invested and built out security controls to fully mitigate an Elevated threat level in 2013 may not even have sufficient controls to cover themselves at a Guarded level in 2016. If you have not reviewed your security controls for two or three years, you likely have an accumulated deficit and higher level of risk exposure given today's threats.

Regular, monthly threat briefs and summaries to executives and board members may be one technique to help keep your company committed to maintaining the proper level of security controls, and to keep the investment dollars flowing. But don't just talk cyber: translate cyber incidents and war stories into a discussion of risk. Security information sharing isn't just for security professionals, it's also for the executives ultimately responsible for the security of the firm.
